ICO.


Information Commissioner's Office 


ICO call for views on a direct marketing code 
of practice 


The Information Commissioner is calling for views on a direct 
marketing code of practice. 


The Data Protection Act 2018 requires the Commissioner to produce 
a code of practice that provides practical guidance and promotes 
good practice in regard to direct marketing. 


While direct marketing is an important and useful tool to help 
organisations engage with people in order to grow their business or 
to publicise and gain support for their causes, it can also be 
intrusive and have a negative impact on people if done badly. This 
can cause reputational damage to organisations and, in some cases, 
result in fines or other regulatory action for breaking data protection 
laws. 


So it is important that organisations ensure their marketing 
activities are compliant with data protection legislation (the General 
Data Protection Regulation and Data Protection Act 2018) and, 
where necessary, the Privacy and Electronic Communications 
Regulations 2003 (PECR). 


We have previously published detailed direct marketing guidance. 
The new code will build on that guidance and address the aspects of 
the new legislation relevant to direct marketing such as 
transparency and lawful bases for processing, as well as covering 
the rules on electronic marketing (for example emails, text 
messages, phone calls) under PECR. 


The European Union is in the process of replacing the current
e-privacy law (and therefore PECR) with a new ePrivacy Regulation
(ePR). However the new ePR is yet to be agreed and there is no 
certainty about what the final rules will be. Because of this we 
intend for the direct marketing code to only cover the current PECR 
rules until the ePR is agreed. Once the ePR is finalised and the UK 
position in relation to it is clear we will produce an updated version 
of the code which takes this into account as appropriate. 


This call for views is the first stage of the consultation process. The 
Commissioner is seeking input from relevant stakeholders, including 
trade associations, data subjects and those representing the 
interests of data subjects. We will use the responses we receive to 
inform our work in developing the code. 


You can email your response to directmarketingcode@ico.org.uk
or print and post to:


Direct Marketing Code Call for Views 
Engagement Department 
Information Commissioner’s Office 
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF


If you would like further information on the call for views, please 
email the Direct Marketing Code team. 


Please send us your views by 24 December 2018. 


Privacy statement 


For this call for views we will publish responses received from 
organisations but will remove any personal data before publication. 
We will not publish responses from individuals. For more 
information about what we do with personal data please see our
privacy notice.


Questions


Q1 The code will address the changes in data protection 
legislation and the implications for direct marketing. What 
changes to the data protection legislation do you think we 
should focus on in the direct marketing code? 


Further clarity on the application of the three-stage legitimate 
interests assessment to different marketing scenarios, to enable 
clearer advice to be given. For example, the scenarios in which 
"reasonable expectation" would be considered satisfied, and the 
circumstances in which an opt-out from use of data for marketing 
would be necessary (not for the purposes of a PECR soft opt-in, 
but rather to satisfy the balancing test of an LIA). 


The practical application of the Article 14 fair processing notice 
requirement to data obtained by controllers from third party data 
brokers, or where publicly available information is obtained 
directly from web sources e.g. LinkedIn. 


Q2 Apart from the recent changes to data protection legislation 
are there other developments that are having an impact on 
your organisation’s direct marketing practices that you think 
we should address in the code? 


[ ] Yes
No


Q3 If yes please specify 


Not applicable - this response is submitted by a committee of 
data protection lawyers, not a controller carrying out marketing. 


Q4 We are planning to produce the code before the draft ePrivacy 
Regulation (ePR) is agreed. We will then produce a revised 
code once the ePR becomes law. Do you agree with this 
approach? 
Yes

[ ] No


Q5 If no please explain why you disagree


Q6 Is the content of the ICO’s existing direct marketing guidance 
relevant to the marketing that your organisation is involved in?

[ ] Yes
No


Q7 If no what additional areas would you like to see covered? 


Not applicable - this response is submitted by a committee of 
data protection lawyers, not a controller carrying out marketing. 


Q8 Is it easy to find information in our existing direct marketing
guidance?

Yes
[ ] No


Q9 If no, do you have any suggestions on how we should 
structure the direct marketing code? 

Q10 Please provide details of any case studies or marketing
scenarios that you would like to see included in the direct 
marketing code. 




1. Please provide more clarity and further examples around what 
it means to "instigate" communications (and therefore who has 
responsibility for compliance in relation to communications that 
are sent to recipients). The ICO's website currently cites an 
example where a controller uses a contractor to contact third 
parties. In that case, it is clear that the instructing controller 
should be responsible for the communication (as well as the 
contractor in some cases). However, more nuanced guidance on 
the factors used to determine "instigation" would be welcome, to 
make it easier to allocate responsibility. 


For example, a company provides a service to potential hosts of 
parties at which the company's products are offered to party 
guests. In this case, the host can use their own private database 
of contacts to communicate invitations to their friends to attend 
the party as guests. The company facilitates this, and the 
objective is to have its products marketed at the party (usually by 
a sales consultant it sends to the party), but it has not collected 
the guests' contact details at this point. By offering the service to 
the host, is the company "instigating" the communications? If so, 
how can the company obtain consents from the guests if it has 
not collected their contact details? Does the company have to rely 
upon the host (a private individual) to obtain appropriate third 
party consents in favour of the company? How could the host do 
this in practice? In relying on the host, how would the company 
be able to demonstrate consent as required by Art.7(1) of GDPR? 


On a similar point, it would be very helpful to have greater clarity 
on the acceptable boundaries for "refer a friend" viral marketing. 


2. Clarification regarding the extent to which active consent to a 
privacy policy can constitute valid consent (a sufficiently clear and 
affirmative action) to marketing activities referred to in that
policy.


For example, conference organisers may state in their privacy 
policy for attendees that, by allowing an exhibitor to scan their 
conference badge, the attendee is indicating their consent to 
receive marketing emails from that exhibitor. They then obtain 
consent to the privacy policy. 


Would this be considered a sufficiently clear, affirmative action, if 
the privacy policy has been agreed to? Arguably, this is not
sufficiently specific or clear. 


3. Clarity as to whether the "sale of a product or service" limb of 
the 'soft opt in' in PECR can be satisfied in situations where an 
organisation's service (Organisation A) is provided free to 
consumers (e.g. an app or online service) but funded by third 
parties (e.g. third party advertising, or a third party organisation 
who pays for its services to be on the site). In other words, does 
the ‘sale’ need to be a direct (monetary) sale paid by the 
customer or would it cover, say, the offering of a price comparison 
site or free app where funded by other means. 


4. Can 'similar goods or services’ for the purposes of the PECR 
soft opt-in include the marketing of a third party's goods or 
services where those goods or services are provided as part of the 
collecting organisation's service. For example, could a bank 
market a feature of one of its banking products comprised of 
extras offered by third parties (e.g. discounts at retailers, car 
breakdown cover etc.) to customers who held other banking 
products with them. To what extent are the following 
determinative: 


(a) whether the service is provided by the bank, but
sub-contracted to a third party provider, or whether the bank refers
the customer directly to the third party provider, perhaps in 
return for commission; 


(b) the extent to which the services offered are sufficiently similar 
to the core services of the bank (even if the service is a direct 
service of the bank, albeit sub-contracted to the provider). 


5. Confirmation that organisations who may not have been 
required to seek consent (due to the application of soft-opt in and 
legitimate interests ground or which already had GDPR standard 
valid consent) but who sought to obtain fresh consent of 
individuals on its marketing databases prior to 25 May can no 
longer contact individuals who did not consent. 


6. The extent to which intra-group data-sharing for analytics and 
cross-brand business intelligence, and in order to obtain a single 
customer view, might be considered acceptable using legitimate 
interests. Whilst marketing e-mails by one brand to the 
customers of an affiliate’s brand would face a tougher analysis, in 
what circumstances could cross-brand analytics be justified using 
legitimate interests? 

Q11 Do you have any other suggestions for the direct marketing
code?


Clearer/more discussion around the sale and purchase of 
marketing lists as part of a business sale. 

Practical guidance on how organisations should check
against the TPS/CTPS (How often are you supposed to do
this? Every time you make a marketing call?)

The consent guidance suggests refreshing consents 
regularly - how should this be done in practice? 

Provision of clear (updated) marketing consent examples, 
particularly illustrating different mechanics for 
demonstrating a clear, affirmative action. 

Clarity about how to comply with Art.21(4) i.e. what is 
required to ensure that the right to object to marketing is 
"explicitly" brought to the attention of the data subject, and 
what would satisfy the requirement to ensure that the 
information is presented "clearly and separately" from other 
information. 

Further examples to clarify what constitutes "marketing". 
For example, if a company invites its clients to an event to 
promote diversity, it is not promoting the products and 
services of the company. However, would this constitute 
marketing on the basis that the company is promoting itself 
and its values generally? Similarly, newsletters and press 
releases to journalists can cause uncertainty. 


About you 


Q12 Are you answering these questions as?

A public sector worker
A private sector worker
A third or voluntary sector worker
A member of the public
A representative of a trade association
A data subject
An ICO employee
Other


If you answered ‘other’ please specify: 


City of London Law Society Data Law Committee. 


The City of London Law Society ("CLLS") represents 
approximately 17,000 City lawyers through individual and 
corporate membership including some of the largest international 
law firms in the world. These law firms advise a variety of clients 
from multinational companies and financial institutions to 
Government departments, often in relation to complex, 
multijurisdictional legal issues. The CLLS responds to a variety of 
consultations on issues of importance to its members through its 
19 specialist committees. 


This response has been prepared by the CLLS Data Law Committee.


Q13 Please provide the name of the organisation that you are 
representing. 


As above 


Q14 We may want to contact you about some of the points you 
have raised. If you are happy for us to do this please provide 
your email address: 


Thank you for taking the time to share your views and experience. 